A few weeks ago we passed our upgrade to ISO 27001:2013. We’ve been using ISO 27001 standards for a long time and while we’re in the process of getting our SSAE 16 certification, we decided at an early stage that ISO 27001 was going to be our main focus – thanks in part to its international recognition but mostly due to the fact that it enforces (and assures) a strong Information Security Management System (ISMS). This has been a good choice in Europe where ISO holds more sway, but locally we’re asked time and time again about SSAE 16 SOC 2 reports. ISO 27001 and SSAE 16 are actually drastically different kinds of standards with equally dissonant uses, and while the SOC 2 report does cover a lot of the same ground as ISO 27001 certification, they’re quite different when it comes down to the details.
IT vs. Accountants
At the heart of the difference between these two standards, lie the bodies which provide them. ISO 27001 is provided by the International Standards Organization (ISO) and is a certification and information security management system standard for IT systems. SSAE 16 by the American Institute of Certified Public Accountants (AICPA), is explicitly an attestation certification providing audits on controls for financial service systems, performed by licensed, independent CPAs or firms. ISO has an interest in setting security standards while the AICPA is interested in assuring that the methodologies followed are effective.
ISO 27001 – Multi-industry Standard
ISO 27001 is a risk based framework for establishing, implementing, and improving an organization's ISMS. It is maintained by information security professionals at the ISO and IEC, and certified by independent certification bodies. It requires that the organization has a working ISMS, mitigating risk through the implementation of controls - be it processes, policies, or systems, across departments, personnel, and even industries. It is a complete system for assuring information security, and anyone with this standard has at the very least a solid system for managing their information security.
The ISO 27001 framework defines ISMS policy tailored to the characteristics of the organization with a specific framework for setting objectives and testing effectiveness. Based on this, the organization defines a risk assessment approach; identifies, analyzes and evaluates potential risks; and develops controls to protect against these risks. Finally, the company prepares a statement of applicability which states the controls selected, the reasons for their selection and their implementation.
One should remember that the scope of the ISMS is up to the company, meaning that some parts of the company may be ISO27001 compliant, while others are not.
SSAE 16 SOC 2 – Accounting standard
SSAE 16 on the other hand, is an attestation from an independent certified public accountant or firm that compares the service organization control (SOC) information against their objectives. Of the SOC reports provided, it’s SOC 2 which has the most in common with ISO27001 (though it’s important to remember that SOC 2 is a report and ISO27k is a certification). It is intended to report on the design (type I) and operation (type II) of the service organizations controls that mitigate risks based on the principles of security, availability, processing integrity, confidentiality and privacy. However, not all principles must be met, and SaaS providers can select the principle(s) that best meet their reporting objectives. In essence, there are no clearly defined rules or standards under SSAE 16, and instead the provider is left to create their own security control and principles which are tested by the audit.
The auditing itself is another major differentiator for SSAE 16. Unlike ISO 27001 which certifies that the company is meeting the controls and requirements of the standard, a SSAE 16 audit occurs during a selected time frame, testing the effectiveness of its chosen controls in action.
While both ISO 27001 and SSAE 16 (SOC 2) are information security standards, they have major differences in how they are performed. Rooted in the differences between the ISO and the AICPA, the two differ in the fundamental methodologies of their assurances. ISO 27001 is a certification of an ISMS tested against an established framework, while SSAE is an audit of the processes your company puts in place. But you can be assured either way that the company you engage with, if they have either a certification or SOC report, is prepared to keep your data safe.